Mebromi is World's First BIOS Rootkit Running Wild

Security firm Webroot is taking great interest in a new BIOS rootkit discovered by a Chinese company called Qihoo 360. It's called "Mebromi" and it's a particularly nasty piece of code that targets Award BIOSes, but that's not all. It also contains an MBR rootkit, a kernel mode rootkit, a PE file infector, and a Trojan downloader all rolled into one.

Webroot says Mebromi isn't capable of doing harm to 64-bit operating systems, nor can it worm its way into a system if run with limited privileges. And at least for the time being, anyone outside of China needn't worry about Mebromi mucking around their system BIOS.

"The infection is clearly focused on Chinese users, because the dropper is carefully checking if the system it's going to infect is protected by Chinese security software Rising Antivirus and Jiangmin KV Antivirus," Webroot explains. "To gain access to the BIOS, the infection first needs to get loaded in kernel mode so that it can handle with physical memory instead of virtual memory."

Mebromi isn't the first malware to target the BIOS. Back in 1998, a virus called CIH/Chernobyl worked its malicious mojo by exploiting a privilege escalation vulnerability in Windows 9x OSes ultimately giving it the ability to execute in kernel mode. According to Webroot, Mebromi uses no such privilege escalation trickery and only needs to load its own kernel mode driver to weasel into the BIOS.

Webroot says Mebromi is the first real BIOS rootkit incident discovered in the wild, but that's not reason to panic. BIOS rootkits are difficult to code and require "a level of complexity that is simply unasked for writing a good persistent infection."